From 4c8eaba75ac980805e0ab844afff5c062359d7ad Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Thu, 18 Oct 2018 15:07:40 -0700
Subject: [PATCH] start enforcing ioctl restrictions on blk_file

Start enforcing the use of ioctl restrictions on all Android block devices. Domains which perform ioctls on block devices must be explicit about what ioctls they issue. The only ioctls allowed by default are BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.

Test: device boots and no problems.
Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
---
 private/apexd.te | 1 +
 public/domain.te | 8 ++++++--
 public/e2fs.te | 7 +++++--
 public/fsck.te | 7 +++++++
 public/init.te | 1 +
 public/vold.te | 1 +
 6 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/private/apexd.te b/private/apexd.te
index 32efb9882..3bfc3cdaf 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -14,6 +14,7 @@ allow apexd apex_data_file:file rw_file_perms;
 allow apexd loop_control_device:chr_file rw_file_perms;
 # allow apexd to access loop devices
 allow apexd loop_device:blk_file rw_file_perms;
+allowxperm apexd loop_device:blk_file ioctl LOOP_GET_STATUS64;
 # allow apexd to access /dev/block
 allow apexd block_device:dir r_dir_perms;
diff --git a/public/domain.te b/public/domain.te
index 355ec078f..fefca843b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -310,7 +310,7 @@ allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 # All domains must clearly enumerate what ioctls they use
 # on filesystem objects (plain files, directories, symbolic links,
 # named pipes, and named sockets). We start off with a safe set.
-allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set } ioctl { FIOCLEX FIONCLEX };
+allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_set blk_file } ioctl { FIOCLEX FIONCLEX };
 # Allow a process to make a determination whether a file descriptor
 # for a plain file or pipe (fifo_file) is a tty. Note that granting
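Review bot: The only ioctl whitelisted for apexd on loop_device:blk_file is LOOP_GET_STATUS64, yet attaching and detaching a backing file (LOOP_SET_FD, LOOP_SET_STATUS64, LOOP_CLR_FD) are ioctls on the loop device node rather than on /dev/loop-control, so with the new neverallowxperm in domain.te those will be denied to apexd unless they are granted elsewhere in this file. apexd's rw access to both loop_control_device and loop_device, visible in the context lines, suggests it does configure loop devices itself, in which case the rule should list everything it issues, e.g. `allowxperm apexd loop_device:blk_file ioctl { LOOP_GET_STATUS64 LOOP_SET_FD LOOP_SET_STATUS64 LOOP_CLR_FD };` (assuming the policy defines those macros). "device boots" in the Test line would not exercise this path; mounting an APEX would. If apexd really only queries loop status, a one-line comment saying so would stop the next reader from widening it.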
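Review bot: The comment directly above the changed rule still enumerates only "plain files, directories, symbolic links, named pipes, and named sockets", but the rule now also covers blk_file, so the comment no longer describes the rule it introduces. Suggest `# named pipes, named sockets, and block devices). We start off with a safe set.` so the default set and its scope stay in sync.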
@@ -319,6 +319,10 @@ allowxperm domain { file_type fs_type domain dev_type }:{ dir notdevfile_class_s
 allowxperm domain { file_type fs_type }:file ioctl { TCGETS };
 allowxperm domain domain:fifo_file ioctl { TCGETS };
+# If a domain has access to perform an ioctl on a block device, allow these
+# very common, benign ioctls
+allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };
+
 # Support sqlite F2FS specific optimizations
 # ioctl permission on the specific file type is still required
 # TODO: consider only compiling these rules if we know the
@@ -354,7 +358,7 @@ allow domain apex_mnt_dir:lnk_file r_file_perms;
 # All ioctls on file-like objects (except chr_file and blk_file) and
 # sockets must be restricted to a whitelist.
-neverallowxperm * *:{ dir notdevfile_class_set socket_class_set } ioctl { 0 };
+neverallowxperm * *:{ dir notdevfile_class_set socket_class_set blk_file } ioctl { 0 };
 # b/68014825 and https://android-review.googlesource.com/516535
 # rfc6093 says that processes should not use the TCP urgent mechanism
diff --git a/public/e2fs.te b/public/e2fs.te
index ea9981dd0..601af16d2 100644
--- a/public/e2fs.te
+++ b/public/e2fs.te
@@ -7,6 +7,9 @@ allow e2fs dev_type:blk_file getattr;
 allow e2fs block_device:dir search;
 allow e2fs userdata_block_device:blk_file rw_file_perms;
 allow e2fs metadata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
+ BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
 allow e2fs {
 proc_filesystems
@@ -18,5 +21,5 @@ allow e2fs {
 allow e2fs sysfs_fs_ext4_features:dir search;
 allow e2fs sysfs_fs_ext4_features:file r_file_perms;
-# access sselinux context files
-allow e2fs file_contexts_file:file { getattr open read };
+# access SELinux context files
+allow e2fs file_contexts_file:file r_file_perms;
diff --git a/public/fsck.te b/public/fsck.te
index 32462ea5b..dbbe34cdc 100644
--- a/public/fsck.te
+++ b/public/fsck.te
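Review bot: The comment above the changed neverallowxperm still says "(except chr_file and blk_file)", but blk_file is now part of the restricted set, so the comment contradicts the rule it documents. Change it to `# All ioctls on file-like objects (except chr_file) and` and consider adding `# chr_file remains unrestricted; see the per-device allowxperm rules.` so the remaining gap is visible to the next person extending this.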
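Review bot: The new allowxperm lists five ioctls without saying which operation needs them, whereas the fsck.te hunk in this same patch explains its list; an explicit whitelist only stays tight if the reason for each entry is recorded next to it. A comment along the lines of `# mke2fs/e2fsck: discard support and issuing discards (BLKDISCARD, BLKSECDISCARD, BLKDISCARDZEROES), physical sector size (BLKPBSZGET), read-only check (BLKROGET)` would do; the attribution to mke2fs/e2fsck is inferred from the ioctl names and should be confirmed against e2fsprogs. Scoping the rule to the two device types e2fs can actually read and write, rather than all of dev_type, is the right pattern and worth keeping.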
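Review bot: Replacing `{ getattr open read }` with `r_file_perms` on file_contexts_file is not just the typo fix it sits next to: if r_file_perms expands as in global_macros (getattr open read ioctl lock map), this hunk also grants e2fs ioctl, lock and map on the file contexts file, which is unrelated to block-device ioctl enforcement and is not mentioned in the commit description. Either keep the explicit set with only the comment corrected, `allow e2fs file_contexts_file:file { getattr open read };`, or state the widening in the description so it is reviewed on purpose.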
@@ -19,6 +19,13 @@ allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 allow fsck dm_device:blk_file rw_file_perms;
+# For the block devices where we have ioctl access,
+# allow at a minimum the following common fsck ioctls.
+allowxperm fsck dev_type:blk_file ioctl {
+ BLKDISCARDZEROES
+ BLKROGET
+};
+
 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
 # e2fsck scans through /proc/mounts and collects all the mounted
diff --git a/public/init.te b/public/init.te
index 430b120ef..ad8ced949 100644
--- a/public/init.te
+++ b/public/init.te
@@ -117,6 +117,7 @@ allow init self:global_capability_class_set { sys_rawio mknod };
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
+allowxperm init dev_type:blk_file ioctl BLKROSET;
 # Mounting filesystems.
 # Only allow relabelto for types used in context= mount options,
diff --git a/public/vold.te b/public/vold.te
index 8d52a31a7..764523991 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -99,6 +99,7 @@ allow vold self:global_capability_class_set { net_admin dac_override dac_read_se
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
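Review bot: The xperm rule is scoped to dev_type while the base ioctl permission in the visible context is only granted on userdata_block_device, cache_block_device and dm_device; the xperm is inert without the base permission today, as the comment says, but any future `allow fsck <type>:blk_file rw_file_perms` will silently pick up these ioctls. Scoping it to the same types keeps both lists in one place: `allowxperm fsck { userdata_block_device cache_block_device dm_device }:blk_file ioctl {`. The fsck allow rules start above this hunk, so there may be further blk_file types I cannot see that should be added to that set.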
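Review bot: BLKROSET changes device state (it sets the read-only flag) rather than querying it, yet it is added to every dev_type block device under a read-only rule and a comment about mounting, with nothing saying who issues it or why. A comment naming the caller would help, presumably fs_mgr marking partitions that are mounted read-only as read-only at the block layer, e.g. `# fs_mgr sets partitions mounted ro read-only at the block layer (BLKROSET).`; confirm that against fs_mgr before committing to the wording. Note the kernel also requires CAP_SYS_ADMIN for BLKROSET, so the capability rule outside this hunk is the other half of this grant.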
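Review bot: LOOP_GET_STATUS64 is the only ioctl whitelisted on loop_device:blk_file, but the context lines show vold creating and unlinking loop device nodes and using loop_control_device, and LOOP_SET_FD, LOOP_SET_STATUS64 and LOOP_CLR_FD are ioctls on the loop device node itself, which the new neverallowxperm in domain.te will now deny unless another allowxperm for vold exists outside this hunk. If none does, extend the rule: `allowxperm vold loop_device:blk_file ioctl { LOOP_GET_STATUS64 LOOP_SET_FD LOOP_SET_STATUS64 LOOP_CLR_FD };`. A boot-only test would not exercise this path; mounting a loop-backed image through vold would.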